Security researchers to target Adobe Flash flaws

Security researchers to target Adobe Flash flaws

29th Jan 09:56

Security specialists have turned their attention to vulnerabilities in Adobe Flash-driven websites.

At next week's Black Hat conference in Washington. Foreground Security's senior security researcher Michael Bailey intends to perform live attacks against some of the top websites to show they can be compromised by exploiting what he says are design flaws in Adobe Flash.

"The point I will try to make is Flash is just as exploitable as any point on the web," says Bailey, adding the two dozen or so websites he may target have been notified in advance of the weaknesses he's detected. While declining to name the specific sites that may be subject to his probes, he says they will include social-networking sites, major news outlets as well as technology companies.

The issues around Adobe Flash to be highlighted in his live demonstration are not something subject to simple patching by Adobe, according to Bailey.

Adobe is generally aware of the planned presentation though not the specifics of it, and Adobe's director of product security and privacy Brad Arkin says it sounds as though Bailey might be pointing out "common web programming errors that developers would commonly make." Adobe's website makes available information, including training and materials, for helping developers with secure coding, he notes.

Potential points of vulnerability in other areas are also expected to be highlighted at the Black Hat DC security event.

David Byrne, senior security consultant at Trustwave, says he and colleague Rohini Sulatycki will show how the failure to apply known cryptographic controls to the ViewState in three web application programming frameworks - Microsoft ASP.Net, Sun Mojarra and Apache MyFaces - can allow attackers to read data stored on a server. ViewState is described as a technique that allows web application frameworks to create persistence in visual elements to maintain a constant look and feel across multiple Web pages.

"It's possible for an attacker to read data stored on a server that shouldn't be available to any user, authorised or otherwise," says Byrne, who says there will be a live demonstration of the attack (Trustwave will also make a tool available to help security professionals identify vulnerable applications). Bryne says the type of structural weakness Trustwave will reveal has been hypothesized about but never demonstrated as a proven flaw.

The remedy is using cryptographic controls based on encryption keys that are included in all three frameworks. "Our demonstration will show that under no situations should an application be put [forward on the web] without this security," Byrne said. He adds that sometimes developers avoid using them because of performance reasons or simply ignore best security practices.

Several other presentations are expected, including those who will discuss new techniques for hacking hardware, video-surveillance systems, the Internet Explorer browser, Oracle 11g and the iPhone. Security researcher Matthieu Suiche will tackle the Mac OS X in regards to physical-memory analysis with new research that shows a snapshot of machine state at a specific time.